Abstract — Zero-Slack Rate-Monotonic (ZSRM) is a family of mixed-criticality schedulers which are based on fixed-priority preemptive scheduling. One scheduler (which we call ZSRM-S) works as follows: a job J is suspended at time t if at time t there is a higher-criticality job J' that has not finished and t minus the arrival time of J' exceeds a per-task configurable parameter (which we call zero-slack offset). ZSRM-S has two advantages compared to other mixed-criticality schedulers: (i) adaptation is local; i.e., there is no system-wide mode change needed and (ii) resumption is simple and natural. ZSRM-S has one drawback: a high-criticality job J' can suffer from interference from a low-criticality job J that resumed after being suspended by another high-criticality job J" (carry-in). Therefore, a variant of ZSRM (which we call ZSRM-SE) has been proposed; it uses an enforcement mechanism to avoid carry-in. With ZSRM-SE, if a high-criticality job causes a low-criticality job to suspend and the high-criticality job has performed more execution than a certain bound then the low-criticality job shall not resume. We consider constrained-deadline sporadic tasks scheduled by ZSRM-S and present an exact schedulability test which solves a Mixed-Integer Linear Program (MILP). We also present that result for ZSRM-SE.

I. Introduction

The problem of scheduling real-time tasks with different criticalities is not new but the trend towards the increasing use of embedded computers and consolidating multiple functionalities onto a single computer platform has increased the importance of this problem. For this reason, researchers have, during recent years, developed more advanced schedulers and analysis methods for systems with tasks of different criticalities. The literature is extensive — an excellent survey is available. Today, most schedulers for mixed criticality systems (MCS) rely on three ideas:

I1. A task is assigned a criticality level;

I2. If it is impossible to meet all deadlines and the scheduler has to let one task miss a deadline then the scheduler should let a lower criticality task miss a deadline;

I3. The execution time of a task is characterized by multiple numbers; each number is believed to be an upper bound on the execution time of the task but the confidence one has in this belief is different for different numbers.

The research community has used these ideas in different ways. One way is to extend schedulability analysis for classic fixed-priority or Earliest-Deadline-First so that when performing schedulability analysis to determine if task $\tau_i$ meets its deadlines then execution times of other tasks must be selected to be on the same confidence level as the criticality of task $\tau_i$. It was found that many of the optimality results in non-MCS scheduling do not apply to MCS scheduling. Other works use run-time monitoring and adaptation; check if a low criticality task has executed for more than it should and if so, the system switches to a high-critical mode where only high-critical tasks are allowed to execute. Such an approach has two drawbacks: (i) it uses a system-wide mode and hence a system-wide mode-change is needed and (ii) it specifies how to switch from normal mode to an overload mode but typically does not specify how to switch back. We believe an alternative should be sought and hence, we consider the following idea:

I4. Before run-time, for each task $\tau_i$, compute a parameter $Z_i$ and at run-time, if a job of task $\tau_i$ has not finished at time $Z_i$ after its arrival then take action to adapt.

This idea has been used for non-MCS and for this context, the action taken at $Z_i$ is to change priorities; such use is called dual-priority scheduling. This idea has been used for MCS and for this context, the action taken is to suspend jobs; such a scheduler was called ZSRM. Later papers have discussed different semantics for it; therefore, we let ZSRM denote a family of schedulers rather than a specific scheduler. ZSRM has been useful as witnessed by the following facts: previous work has made available implementations of a ZSRM scheduler in the Linux kernel and in VxWorks, as well as a sufficient schedulability test for it and this schedulability test is available to software practitioners in the OSATE AADL workbench. And a modification of it was used in a UAV system to ensure that an overload in vision processing does not jeopardize deadline guarantees of flight-control software. Hence, we believe ZSRM is one of the most practical ideas in mixed-criticality scheduling. One scheduler (which we call ZSRM-S) works as follows: a job J is suspended at time t, if at time t there is a higher-criticality job J' that has not finished and t minus the arrival time of J' exceeds $Z_i$. Hence, the S in the name ZSRM-S means suspend. ZSRM-S has one drawback: a high-criticality job J' can suffer from interference from a low-criticality job J that resumed after being suspended by another high-criticality job J" (carry-in). Therefore, a variant of ZSRM (which we call ZSRM-SE) has been proposed; it uses an enforcement mechanism to avoid carry-in. With ZSRM-SE, if a high-criticality job causes a low-criticality job to suspend and the high-criticality job has performed more execution than a certain bound then the low-criticality job shall not resume. Hence, the E in the name ZSRM-SE means execution-time monitoring. Unfortunately, no exact analysis was known for these schedulers.

Therefore, in this paper, we consider constrained-deadline sporadic tasks scheduled by ZSRM-S and present an exact

M=2

$T_1 = 4$, $D_1 = 4$, $C_1 = 2$, $C_1^o = 2$, $\zeta_1 = 1$, $prio_1 = 2$, $Z_1 = 2$
$T_2 = 10$, $D_2 = 8$, $C_2 = 2.5$, $C_2^o = 5$, $\zeta_2 = 2$, $prio_2 = 1$, $Z_2 = 5$

Fig. 1: An example of a taskset in our model.


$nj_1(R) = 2$

$A_{1,1}(R) = 0$, $c_{1,1}(R) = 2$, $A_{1,2}(R) = 4$, $c_{1,2}(R) = 2$

$nj_2(R) = 1$

$A_{2,1}(R) = 0$, $c_{2,1}(R) = 2.5$

(a) An assignment $R$ for the taskset in Fig. 1.

(b) ZSRM-S schedule of the assignment $R$ for the taskset in Fig. 1.

Fig. 2: An assignment for the taskset in Fig. 1 and its ZSRM-S schedule. At time 5, the zero-slack instant of $\tau_{2,1}$ occurs so at this time, jobs from tasks with lower criticality get suspended; specifically, $\tau_{1,2}$ is suspended at this time. In (a), $c_{2,1}(R)$ is small so that when $\tau_{2,1}$ finishes, there is still time for $\tau_{1,2}$ to finish execution by its deadline (see (b)). For another assignment where $c_{2,1}$ is five, $\tau_{1,2}$ would miss its deadline.


schedulability test which solves a Mixed-Integer Linear Program (MILP). We also present that result for ZSRM-SE.

The rest of the paper is organized as follows. Section II presents the system model. Section III presents the new schedulability test for ZSRM-S. Section IV presents the new schedulability test for ZSRM-SE. Section V presents tools that perform the calculations of these schedulability tests. Section VI concludes.


II. System model

Throughout this paper, we let s.t. mean “such that” and we let : mean “it holds that” and we let $\{x \mid f(x)\}$ denote a set of elements so that an element $x$ is in the set if and only if $f(x)$ is true. We let $(a, b)$ indicate a tuple with two elements $a$ and $b$. We let $[a, b)$ indicate an interval of real numbers. We let $\{a..b\}$ indicate the set of integers that are $\ge a$ and $\le b$.

Static parameters. We consider a system comprising a taskset $\tau$ and a computer platform comprising a single processor. A task $\tau_i$ in $\tau$ is characterized by $T_i$, $D_i$, $C_i$, $C_i^o$, $\zeta_i$, $prio_i$, and $Z_i$ with the interpretation that $\tau_i$ generates a sequence of jobs with two consecutive jobs of $\tau_i$ having arrival times separated by at least $T_i$ and each job of $\tau_i$ must finish within $D_i$ time units. $\zeta_i$ indicates the criticality of $\tau_i$. (If $\zeta_i$ is high then the criticality of $\tau_i$ is high.) $prio_i$ indicates the priority of $\tau_i$. (If $prio_i$ is high then the priority of $\tau_i$ is high.) We assume $\forall \tau_i \in \tau$: $C_i \le C_i^o$ and $D_i \le T_i$. The symbol $Z_i$ means zero-slack offset of $\tau_i$ and it is used by the scheduler to determine the time instant when jobs of lower criticality should be adapted (e.g. suspended). The symbols $C_i$ and $C_i^o$ are upper bounds on the execution time of a job of $\tau_i$; the reason for having two upper bounds will be explained later in this section. For historical reasons, we refer to $C_i$ as nominal execution time and $C_i^o$ as overload execution time. Fig. 1 shows an example of a taskset in our model.

Run-time behavior of ZSRM-S. Let $\tau_{i,q}$ denote the $q$th job of $\tau_i$. Let $R$ denote an assignment: for each task, the number of jobs it generates and, for each of the jobs, an arrival time and execution time. Certain quantities that we define will be a function of the schedule and then we let $sc$ be a schedule. Let $nj_i(R)$ denote the number of jobs that $\tau_i$ generates. Let $A_{i,q}(R)$ denote the arrival time of $\tau_{i,q}$. Let $c_{i,q}(R)$ denote the execution time of $\tau_{i,q}$. Let $f_{i,q}(sc, R)$ denote the finishing time of $\tau_{i,q}$. Let $donex_{i,q}(t, sc, R)$ denote the cumulative duration of execution of $\tau_{i,q}$ before time $t$. Fig. 3 shows predicates that we use. elig$(i, q, t, \tau, R, sc)$ is a predicate that is true if, at time $t$, the job $\tau_{i,q}$ has arrived but not finished and $\tau_{i,q}$ is not suspended at time $t$ because of higher-criticality jobs. eligZSRMS$(i, q, t, \tau, R, sc)$ indicates that $\tau_{i,q}$ is eligible for execution (i.e., it is in the ready queue or it is running) at time $t$. Clearly, because of priority-based scheduling, an eligible job will only execute if there is no other eligible job with higher priority. We use the predicate candZSRMS$(i, q, t, \tau, R, sc)$ to indicate that $\tau_{i,q}$ is a candidate for execution; i.e., $\tau_{i,q}$ is eligible and there is no eligible job of higher priority. An instant is a ZSRMSschedinst if there is a job that arrives at this instant or there is a job that finishes at this instant or there is a job that has its zero-slack instant at this instant — see Fig. 3. At each instant $t$ such that $t$ is a ZSRMSschedinst, the scheduler does the following: if there is at least one job $\tau_{i,q}$ such that candZSRMS$(i, q, t, \tau, R, sc)$, then arbitrarily choose a job $\tau_{i,q}$ such that candZSRMS$(i, q, t, \tau, R, sc)$ and execute it on the processor at time $t$ and let it continue to execute until the next ZSRMSschedinst; if there is no job $\tau_{i,q}$ such that candZSRMS$(i, q, t, \tau, R, sc)$, then keep the processor idle at time $t$ until the next schedinst. Fig. 2 shows a schedule that the taskset in Fig. 1 can generate.
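The dispatching rule above can be exercised with a small event-driven simulator that recomputes the eligible and candidate jobs at every scheduling instant. This is an added example, not code from the paper: the names `Task`, `Job`, `simulate_zsrm_s` and `deadline_misses` are hypothetical, the task parameters are a reading of Fig. 1, `R_A` is the assignment of Fig. 2(a), and `R_B` is the variant from the caption of Fig. 2 in which $c_{2,1}$ is five.

```python
from dataclasses import dataclass
from fractions import Fraction as F
from typing import Optional


@dataclass(frozen=True)
class Task:
    D: F       # relative deadline D_i
    crit: int  # criticality zeta_i (larger value = higher criticality)
    prio: int  # priority prio_i (larger value = higher priority)
    Z: F       # zero-slack offset Z_i


@dataclass
class Job:
    task: int                   # task index i
    q: int                      # job index q
    arrival: F                  # A_{i,q}(R)
    exec_time: F                # c_{i,q}(R)
    done: F = F(0)              # execution received so far (donex)
    finish: Optional[F] = None  # f_{i,q}, set when the job completes


def simulate_zsrm_s(tasks, assignment):
    """Return {(i, q): finishing time} under ZSRM-S.

    `assignment` is a list of (i, q, arrival, exec_time) tuples. Exact
    rational arithmetic keeps the event times free of rounding error.
    """
    jobs = [Job(i, q, F(a), F(c)) for (i, q, a, c) in assignment]
    t = min(j.arrival for j in jobs)
    while any(j.finish is None for j in jobs):
        def zd_not_fin(j):
            # Zero-slack instant reached (A + Z <= t) and job not finished.
            return j.finish is None and j.arrival + tasks[j.task].Z <= t

        def suspended(j):
            # Suspended while some higher-criticality job is past its
            # zero-slack instant and still unfinished.
            return any(tasks[k.task].crit > tasks[j.task].crit and zd_not_fin(k)
                       for k in jobs)

        eligible = [j for j in jobs
                    if j.arrival <= t and j.finish is None and not suspended(j)]
        # Candidate: eligible job with no eligible job of higher priority
        # (ties are broken arbitrarily, here by list order).
        running = max(eligible, key=lambda j: tasks[j.task].prio, default=None)

        # Next scheduling instant: an arrival, a zero-slack instant of an
        # unfinished job, or the completion of the running job.
        nxt = [j.arrival for j in jobs if j.arrival > t]
        nxt += [j.arrival + tasks[j.task].Z for j in jobs
                if j.finish is None and j.arrival + tasks[j.task].Z > t]
        if running is not None:
            nxt.append(t + running.exec_time - running.done)
        t_next = min(nxt)

        if running is not None:
            running.done += t_next - t
            if running.done == running.exec_time:
                running.finish = t_next
        t = t_next
    return {(j.task, j.q): j.finish for j in jobs}


def deadline_misses(tasks, assignment, finish):
    """Jobs whose finishing time exceeds arrival + D_i."""
    return sorted((i, q) for (i, q, a, _c) in assignment
                  if finish[(i, q)] > F(a) + tasks[i].D)


# Taskset as read from Fig. 1 (constructed sample input).
TASKS = {
    1: Task(D=F(4), crit=1, prio=2, Z=F(2)),
    2: Task(D=F(8), crit=2, prio=1, Z=F(5)),
}
# Assignment of Fig. 2(a), and the caption's variant with c_{2,1} = 5.
R_A = [(1, 1, 0, 2), (1, 2, 4, 2), (2, 1, 0, "2.5")]
R_B = [(1, 1, 0, 2), (1, 2, 4, 2), (2, 1, 0, 5)]

if __name__ == "__main__":
    for name, r in (("R_A", R_A), ("R_B", R_B)):
        fin = simulate_zsrm_s(TASKS, r)
        print(name, {k: float(v) for k, v in fin.items()},
              "misses:", deadline_misses(TASKS, r, fin))
```

In the `R_B` run the job that misses is the low-criticality one; by legMCS such an assignment is not legal when the job under analysis belongs to $\tau_1$, because $c_{2,1}$ exceeds $C_2$.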

Run-time behavior of ZSRM-SE. The run-time behavior of ZSRM-SE differs from ZSRM-S only in that with ZSRM-SE, a job J is terminated if there was a time now or in the past such that at that time, there was a higher-criticality job J' that has reached its zero-slack instant and not finished and executed for more than its nominal execution time. We specify this formally with predicates in Fig. 3. The predicate candZSRMSE$(i, q, t, \tau, R, sc)$ indicates that $\tau_{i,q}$ is a candidate for execution. The predicate eligZSRMSE$(i, q, t, \tau, R, sc)$ indicates that $\tau_{i,q}$ is eligible for execution; if terminatedZSRMSE$(i, q, t, \tau, R, sc)$ is true then $\tau_{i,q}$ is not eligible for execution. The predicate terminatedZSRMSE$(i, q, t, \tau, R, sc)$ is true if there is a time $t'$ such that $t' \le t$ and terminatednowZSRMSE$(i, q, t', \tau, R, sc)$. The predicate terminatednowZSRMSE$(i, q, t', \tau, R, sc)$ is true if there is a job $\tau_{i',q'}$ such that $\zeta_{i'} > \zeta_i$ and $\tau_{i',q'}$ has arrived but not finished and $\tau_{i',q'}$ has executed for more than $C_{i'}$ time units.

Schedulability and schedulability test of ZSRM-S. We say that a job $\tau_{i,q}$ is success if its finishing time is at most

$\mathrm{ZSRMSschedinst}(t, \tau, R, sc) = (\exists (i,q) \text{ s.t. } (\tau_i \in \tau) \land (q \in \{1..nj_i(R)\}) \land ((A_{i,q}(R) = t) \lor (f_{i,q}(R, sc) = t) \lor (A_{i,q}(R) + Z_i = t)))$

$\mathrm{ZSRMSEschedinst}(t, \tau, R, sc) = (\exists (i,q) \text{ s.t. } (\tau_i \in \tau) \land (q \in \{1..nj_i(R)\}) \land ((A_{i,q}(R) = t) \lor (f_{i,q}(R, sc) = t) \lor (A_{i,q}(R) + Z_i = t) \lor (donex_{i,q}(t, sc, R) = C_i)))$

$\mathrm{arrived}(i, q, t, \tau, R, sc) = (A_{i,q}(R) \le t)$

$\mathrm{Zd}(i, q, t, \tau, R, sc) = (A_{i,q}(R) + Z_i \le t)$

$\mathrm{finZSRMS}(i, q, t, \tau, R, sc) = (f_{i,q}(sc, R) \le t)$

$\mathrm{finZSRMSE}(i, q, t, \tau, R, sc) = ((f_{i,q}(sc, R) \le t) \lor (\mathrm{terminated}(i, q, t, \tau, R, sc)))$

$\mathrm{arrivednotfinZSRMS}(i, q, t, \tau, R, sc) = ((\mathrm{arrived}(i, q, t, \tau, R, sc)) \land (\lnot \mathrm{finZSRMS}(i, q, t, \tau, R, sc)))$

$\mathrm{arrivednotfinZSRMSE}(i, q, t, \tau, R, sc) = ((\mathrm{arrived}(i, q, t, \tau, R, sc)) \land (\lnot \mathrm{finZSRMSE}(i, q, t, \tau, R, sc)))$

$\mathrm{ZdnotfinZSRMS}(i, q, t, \tau, R, sc) = ((\mathrm{Zd}(i, q, t, \tau, R, sc)) \land (\lnot \mathrm{finZSRMS}(i, q, t, \tau, R, sc)))$

$\mathrm{ZdnotfinZSRMSE}(i, q, t, \tau, R, sc) = ((\mathrm{Zd}(i, q, t, \tau, R, sc)) \land (\lnot \mathrm{finZSRMSE}(i, q, t, \tau, R, sc)))$

$\mathrm{lowexZSRMSE}(i, q, t, \tau, R, sc) = (donex_{i,q}(t, sc, R) \le C_i)$

$\mathrm{ZdnotfinlowexZSRMSE}(i, q, t, \tau, R, sc) = ((\mathrm{ZdnotfinZSRMSE}(i, q, t, \tau, R, sc)) \land (\mathrm{lowexZSRMSE}(i, q, t, \tau, R, sc)))$

$\mathrm{ZdnotfinhiexZSRMSE}(i, q, t, \tau, R, sc) = ((\mathrm{ZdnotfinZSRMSE}(i, q, t, \tau, R, sc)) \land (\lnot \mathrm{lowexZSRMSE}(i, q, t, \tau, R, sc)))$

$\mathrm{suspendednowZSRMS}(i, q, t, \tau, R, sc) = (\exists \tau_{i',q'} \text{ s.t. } (\zeta_{i'} > \zeta_i) \land (\mathrm{ZdnotfinZSRMS}(i', q', t, \tau, R, sc)))$

$\mathrm{suspendednowZSRMSE}(i, q, t, \tau, R, sc) = ((\exists \tau_{i',q'} \text{ s.t. } (\zeta_{i'} > \zeta_i) \land (\mathrm{ZdnotfinZSRMSE}(i', q', t, \tau, R, sc))) \land (\forall \tau_{i',q'} \text{ s.t. } (\zeta_{i'} > \zeta_i) : (\mathrm{ZdnotfinZSRMSE}(i', q', t, \tau, R, sc)) \Rightarrow (\mathrm{ZdnotfinlowexZSRMSE}(i', q', t, \tau, R, sc))))$

$\mathrm{terminatednowZSRMSE}(i, q, t, \tau, R, sc) = (\exists \tau_{i',q'} \text{ s.t. } (\zeta_{i'} > \zeta_i) \land (\mathrm{ZdnotfinhiexZSRMSE}(i', q', t, \tau, R, sc)))$

$\mathrm{terminatedZSRMSE}(i, q, t, \tau, R, sc) = (\exists t' \text{ s.t. } (t' \le t) \land (\mathrm{terminatednowZSRMSE}(i, q, t', \tau, R, sc)))$

$\mathrm{eligZSRMS}(i, q, t, \tau, R, sc) = ((\mathrm{arrivednotfinZSRMS}(i, q, t, \tau, R, sc)) \land (\lnot \mathrm{suspendednowZSRMS}(i, q, t, \tau, R, sc)))$

$\mathrm{eligZSRMSE}(i, q, t, \tau, R, sc) = ((\mathrm{arrivednotfinZSRMSE}(i, q, t, \tau, R, sc)) \land (\lnot \mathrm{suspendednowZSRMSE}(i, q, t, \tau, R, sc)) \land (\lnot \mathrm{terminated}(i, q, t, \tau, R, sc)))$

$\mathrm{candZSRMS}(i, q, t, \tau, R, sc) = ((\mathrm{eligZSRMS}(i, q, t, \tau, R, sc)) \land (\forall \tau_{i',q'} \text{ s.t. } prio_{i'} > prio_i : \lnot \mathrm{eligZSRMS}(i', q', t, \tau, R, sc)))$

$\mathrm{candZSRMSE}(i, q, t, \tau, R, sc) = ((\mathrm{eligZSRMSE}(i, q, t, \tau, R, sc)) \land (\forall \tau_{i',q'} \text{ s.t. } prio_{i'} > prio_i : \lnot \mathrm{eligZSRMSE}(i', q', t, \tau, R, sc)))$

$\mathrm{legMCS}(R, sc, \tau, iD, qD) = ((\forall (i,q) \text{ s.t. } (\tau_i \in \tau) \land (q \in \{2..nj_i(R)\}) : A_{i,q}(R) - A_{i,q-1}(R) \ge T_i) \land (\forall (i,q) \text{ s.t. } (\tau_i \in \tau) \land (q \in \{1..nj_i(R)\}) \land (\zeta_i > \zeta_{iD}) : c_{i,q}(R) \in [0, C_i]) \land (\forall (i,q) \text{ s.t. } (\tau_i \in \tau) \land (q \in \{1..nj_i(R)\}) \land (\zeta_i \le \zeta_{iD}) : c_{i,q}(R) \in [0, C_i^o]))$

$\mathrm{successZSRMS}(i, q, \tau, R, sc) = (f_{i,q}(sc, R) \le A_{i,q}(R) + D_i)$

$\mathrm{successZSRMSE}(i, q, \tau, R, sc) = ((\lnot \mathrm{terminated}(i, q, A_{i,q}(R) + D_i, \tau, R, sc)) \land (f_{i,q}(sc, R) \le A_{i,q}(R) + D_i))$

$\mathrm{ZSRMSsch}(\tau) = (\forall (iD, qD, R, sc) \text{ s.t. } (\tau_{iD} \in \tau) \land (qD \in \{1..nj_{iD}(R)\}) \land (\mathrm{legMCS}(R, sc, \tau, iD, qD)) \land (\mathrm{legZSRMSsch}(sc, R, \tau)) : \mathrm{successZSRMS}(iD, qD, \tau, R, sc))$

$\mathrm{ZSRMSEsch}(\tau) = (\forall (iD, qD, R, sc) \text{ s.t. } (\tau_{iD} \in \tau) \land (qD \in \{1..nj_{iD}(R)\}) \land (\mathrm{legMCS}(R, sc, \tau, iD, qD)) \land (\mathrm{legZSRMSEsch}(sc, R, \tau)) : \mathrm{successZSRMSE}(iD, qD, \tau, R, sc))$

Fig. 3: Predicates that we will use.


its deadline. The predicate successZSRMS$(i, q, \tau, R, sc)$ indicates that. The predicate legMCS$(R, sc, \tau, iD, qD)$ is true if $R$ satisfies certain constraints (expressing arrival times and execution times of jobs) — see Fig. 3. Note that compared to the definition of a legal assignment used in classic fixed-priority scheduling without mixed criticalities, our definition of legal assignment differs in two ways: (i) our definition takes a schedule as input whereas the classic definition does not and (ii) our definition takes a task and job index as input whereas the classic does not. The predicate legZSRMSsch$(sc, R, \tau)$ indicates that schedule $sc$ can be generated by ZSRM-S for assignment $R$ for taskset $\tau$. The predicate ZSRMSsch$(\tau)$ indicates that for each $(R, iD, qD, sc)$ such that legMCS$(R, sc, \tau, iD, qD)$ and legZSRMSsch$(sc, R, \tau)$, it holds that successZSRMS$(iD, qD, \tau, R, sc)$. Intuitively, the meaning of ZSRMSsch$(\tau)$ is that ZSRMSsch$(\tau)$ is true if each job J meets its deadline for the case that jobs of higher criticality than J have execution times that are bounded by the nominal execution times (not overload execution times). If ZSRMSsch$(\tau)$ is true then we say that the taskset is schedulable. Conversely, if ZSRMSsch$(\tau)$ is false then we say that the taskset is unschedulable. A schedulability test for ZSRM-S is a function that takes $\tau$ as input and outputs a boolean. For schedulability test ST associated with ZSRM-S, we say that ST is an exact schedulability test if ST$(\tau) \Leftrightarrow$ ZSRMSsch$(\tau)$.

Schedulability and schedulability test of ZSRM-SE. The concepts for ZSRM-SE are analogous.

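III. New Schedulability Test for ZSRM-S

Our goal in this section is to present an exact schedulability test for ZSRM-S. Traditional analysis of fixed-priority preemptive scheduling on a single processor relies on a condition for critical instant or the concept busy period. Unfortunately, these concepts cannot be used directly for exact schedulability analysis of ZSRM-S because in ZSRM-S, a job may be suspended. Thus, we will develop new ideas and put them together into an exact schedulability test for ZSRM-S.

For this discussion, let feas$(X)$ denote a predicate that is true if and only if $X$ (a set of constraints) is feasible. Let $\max\{myobj \mid X\}$ denote the largest value of $myobj$ subject to the constraints $X$. Also, let ct$(t, iD, qD)$ denote the set of constraints in Fig. 4 where (i) $t$ in Fig. 4 is a constant which is equal to the 1st parameter of ct, (ii) $iD$ in Fig. 4 is a constant which is equal to the 2nd parameter of ct, and (iii) $qD$ in Fig. 4 is a constant which is equal to the 3rd parameter of ct.

Sets:

$TS = \{i' \mid (\tau_{i'} \in \tau) \land ((prio_{i'} \ge prio_{iD}) \lor (\zeta_{i'} \ge \zeta_{iD}))\}$, $TSHC(i) = \{i' \mid (\tau_{i'} \in \tau) \land (\zeta_{i'} > \zeta_i)\}$, $TSHP(i) = \{i' \mid (\tau_{i'} \in \tau) \land (prio_{i'} > prio_i)\}$, $QS(i') = \{1..\lceil t / T_{i'} \rceil\}$, $PS = \{1..3 \times \sum_{i' \in TS} \lceil t / T_{i'} \rceil\}$

Constraints:

$t^1 = 0$

$\forall p \in (PS \setminus \{|PS|\}) : t^p \le t^{p+1}$

$\forall (i,q) \text{ s.t. } (i \in TS) \land (q \in (QS(i) \setminus \{1\})) : A_{i,q} - A_{i,q-1} \ge T_i$

$\forall (i,q) \text{ s.t. } (i \in TS) \land (q \in QS(i))$ :

$\sum_{p' \in PS} \mathrm{arrives}^{p'}_{i,q} = 1$, $\sum_{p' \in PS} \mathrm{finishes}^{p'}_{i,q} = 1$, $\sum_{p' \in PS} \mathrm{ZS}^{p'}_{i,q} = 1$

$\forall (i,q,p) \text{ s.t. } (i \in TS) \land (q \in QS(i)) \land (p \in PS)$ :

$(\mathrm{arrives}^p_{i,q} = 1) \Rightarrow (donex^p_{i,q} = 0)$

$(\mathrm{finishes}^p_{i,q} = 1) \Rightarrow (donex^p_{i,q} = c_{i,q})$

$(\mathrm{arrives}^p_{i,q} = 1) \Rightarrow (A_{i,q} = t^p)$, $\mathrm{arrived}^p_{i,q} = \sum_{p' \in \{1..p\}} \mathrm{arrives}^{p'}_{i,q}$

$(\mathrm{finishes}^p_{i,q} = 1) \Rightarrow (f_{i,q} = t^p)$, $\mathrm{finZSRMS}^p_{i,q} = \sum_{p' \in \{1..p\}} \mathrm{finishes}^{p'}_{i,q}$

$(\mathrm{ZS}^p_{i,q} = 1) \Rightarrow (A_{i,q} + Z_i = t^p)$, $\mathrm{Zd}^p_{i,q} = \sum_{p' \in \{1..p\}} \mathrm{ZS}^{p'}_{i,q}$

$(\mathrm{arrivednotfinZSRMS}^p_{i,q} = 1) \Leftrightarrow ((\mathrm{arrived}^p_{i,q} = 1) \land (\mathrm{finZSRMS}^p_{i,q} = 0))$

$(\mathrm{ZdnotfinZSRMS}^p_{i,q} = 1) \Leftrightarrow ((\mathrm{Zd}^p_{i,q} = 1) \land (\mathrm{finZSRMS}^p_{i,q} = 0))$

$(\mathrm{suspendednowZSRMS}^p_{i,q} = 1) \Rightarrow (\sum_{i' \in TSHC(i)} \sum_{q' \in QS(i')} \mathrm{ZdnotfinZSRMS}^p_{i',q'} \ge 1)$

$(\mathrm{suspendednowZSRMS}^p_{i,q} = 0) \Rightarrow (\sum_{i' \in TSHC(i)} \sum_{q' \in QS(i')} \mathrm{ZdnotfinZSRMS}^p_{i',q'} \le 0)$

$(\mathrm{eligZSRMS}^p_{i,q} = 1) \Leftrightarrow ((\mathrm{arrivednotfinZSRMS}^p_{i,q} = 1) \land (\mathrm{suspendednowZSRMS}^p_{i,q} = 0))$

$(\mathrm{candZSRMS}^p_{i,q} = 1) \Leftrightarrow ((\mathrm{eligZSRMS}^p_{i,q} = 1) \land (\bigwedge_{i' \in TSHP(i)} \bigwedge_{q' \in QS(i')} (\mathrm{eligZSRMS}^p_{i',q'} = 0)))$

$\forall p \in (PS \setminus \{|PS|\})$ :

$(\mathrm{busyZSRMS}^p = 1) \Rightarrow (\sum_{\tau_{i'} \in \tau} \sum_{q' \in QS(i')} \mathrm{candZSRMS}^p_{i',q'} \ge 1)$, $(\mathrm{busyZSRMS}^p = 0) \Rightarrow (\sum_{\tau_{i'} \in \tau} \sum_{q' \in QS(i')} \mathrm{candZSRMS}^p_{i',q'} \le 0)$

$\forall (i,q,p) \text{ s.t. } (i \in TS) \land (q \in QS(i)) \land (p \in PS \setminus \{|PS|\})$ :

$(\mathrm{xZSRMS}^p_{i,q} = 1) \Rightarrow (donex^{p+1}_{i,q} = donex^p_{i,q} + t^{p+1} - t^p)$, $\mathrm{xZSRMS}^p_{i,q} \le \mathrm{candZSRMS}^p_{i,q}$

$\forall p \in (PS \setminus \{|PS|\}) : \sum_{\tau_{i'} \in TS} \sum_{q' \in QS(i')} \mathrm{xZSRMS}^p_{i',q'} = \mathrm{busyZSRMS}^p$

$\forall p \in PS : (\mathrm{finishes}^p_{iD,qD} = 1) \Rightarrow (\sum_{p' \in \{1..p-1\}} \mathrm{busyZSRMS}^{p'} \ge p - 1)$

$\forall (i,q) \text{ s.t. } (i \in TS) \land (q \in QS(i)) \land (\zeta_i > \zeta_{iD}) : c_{i,q} \le C_i$

$\forall (i,q) \text{ s.t. } (i \in TS) \land (q \in QS(i)) \land (\zeta_i \le \zeta_{iD}) : c_{i,q} \le C_i^o$

Domains of variables: $t^p \in \mathbb{R}_{\ge 0}$, $A_{i,q} \in \mathbb{R}_{\ge 0}$, $c_{i,q} \in \mathbb{R}_{\ge 0}$, $f_{i,q} \in \mathbb{R}_{\ge 0}$, $donex^p_{i,q} \in \mathbb{R}_{\ge 0}$, $\mathrm{arrives}^p_{i,q} \in \{0,1\}$, $\mathrm{arrived}^p_{i,q} \in \{0,1\}$, $\mathrm{finishes}^p_{i,q} \in \{0,1\}$, $\mathrm{finZSRMS}^p_{i,q} \in \{0,1\}$, $\mathrm{ZS}^p_{i,q} \in \{0,1\}$, $\mathrm{Zd}^p_{i,q} \in \{0,1\}$, $\mathrm{arrivednotfinZSRMS}^p_{i,q} \in \{0,1\}$, $\mathrm{ZdnotfinZSRMS}^p_{i,q} \in \{0,1\}$, $\mathrm{suspendednowZSRMS}^p_{i,q} \in \{0,1\}$, $\mathrm{eligZSRMS}^p_{i,q} \in \{0,1\}$, $\mathrm{candZSRMS}^p_{i,q} \in \{0,1\}$, $\mathrm{busyZSRMS}^p \in \{0,1\}$, $\mathrm{xZSRMS}^p_{i,q} \in \{0,1\}$

Fig. 4: Constraints we use for exact schedulability analysis of ZSRM-S.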

Our first lemma states certain properties of a time interval for an unschedulable taskset.

Lemma 1.

$$
\begin{aligned}
&(\lnot \mathrm{ZSRMSsch}(\tau)) \Rightarrow \\
&(\exists (iD, qD, R, sc) \text{ s.t. } (\tau_{iD} \in \tau) \land (qD \in \{1..nj_{iD}(R)\}) \land \\
&\quad (\mathrm{legMCS}(R, sc, \tau, iD, qD)) \land (\mathrm{legZSRMSsch}(sc, R, \tau)) \land \\
&\quad (f_{iD,qD}(sc, R) - A_{iD,qD} > D_{iD}) \land \\
&\quad (\text{for schedule } sc, \text{ it holds that at all times before time } 0, \text{ the processor is idle}) \land \\
&\quad (\text{for schedule } sc, \text{ it holds that at all times in } [0, f_{iD,qD}(sc, R)], \text{ the processor executes} \\
&\quad\ \text{a job with priority} \ge prio_{iD} \text{ or criticality} \ge \zeta_{iD}))
\end{aligned}
$$

Proof: Assume that the left-hand side of the lemma is true. Then, from the definition of ZSRMSsch, it holds that:

$$
\begin{aligned}
&\exists (iD, qD, R, sc) \text{ s.t. } (\tau_{iD} \in \tau) \land (qD \in \{1..nj_{iD}(R)\}) \land \\
&\quad (\mathrm{legMCS}(R, sc, \tau, iD, qD)) \land (\mathrm{legZSRMSsch}(sc, R, \tau)) \land \\
&\quad (\lnot \mathrm{successZSRMS}(iD, qD, \tau, R, sc))
\end{aligned}
$$

From the definition of successZSRMS we obtain an inequality, which applied on the above yields that:

$$
\begin{aligned}
&\exists (iD, qD, R, sc) \text{ s.t. } (\tau_{iD} \in \tau) \land (qD \in \{1..nj_{iD}(R)\}) \land \\
&\quad (\mathrm{legMCS}(R, sc, \tau, iD, qD)) \land (\mathrm{legZSRMSsch}(sc, R, \tau)) \land \\
&\quad (f_{iD,qD}(sc, R) - A_{iD,qD} > D_{iD})
\end{aligned}
\tag{1}
$$

In the schedule $sc$ above, we can form a time interval that (i) ends at time $f_{iD,qD}(sc, R)$ and (ii) begins at the earliest time such that in this time interval, only jobs with priority $\ge prio_{iD}$ or criticality $\ge \zeta_{iD}$ execute. One can delete all jobs arriving before this time interval. We can also set the origin of the time axis to be such that time zero is the time when this time interval begins. Applying this reasoning on (1) yields:

$$
\begin{aligned}
&\exists (iD, qD, R, sc) \text{ s.t. } (\tau_{iD} \in \tau) \land (qD \in \{1..nj_{iD}(R)\}) \land \\
&\quad (\mathrm{legMCS}(R, sc, \tau, iD, qD)) \land (\mathrm{legZSRMSsch}(sc, R, \tau)) \land \\
&\quad (f_{iD,qD}(sc, R) - A_{iD,qD} > D_{iD}) \land \\
&\quad (\text{for schedule } sc, \text{ it holds that at all times before time } 0, \text{ the processor is idle}) \land \\
&\quad (\text{for schedule } sc, \text{ it holds that at all times in } [0, f_{iD,qD}(sc, R)], \text{ the processor executes} \\
&\quad\ \text{a job with priority} \ge prio_{iD} \text{ or criticality} \ge \zeta_{iD})
\end{aligned}
$$

This is the right-hand side of the lemma. ■

Our second lemma states that if the taskset is unschedulable then there exists a tuple $(iD, qD, t)$ such that a certain problem is infeasible and $t$ is at most a certain bound. When expressing this bound, we need to compute

$$
\max_{qD' \in \{1..\lceil t'/T_{iD} \rceil\} \land (\mathrm{feas}(\mathrm{ct}(t', iD, qD')))} \max\{ f_{iD,qD'} \mid \mathrm{ct}(t', iD, qD') \}
\tag{2}
$$

This expression means the following: (i) iterate over all $qD'$ (which may be different from $qD$), (ii) check if the current $qD'$ is such that ct$(t', iD, qD')$ is feasible, (iii) if the answer to the preceding question is yes, then evaluate $\max\{f_{iD,qD'} \mid \mathrm{ct}(t', iD, qD')\}$, and (iv) take the maximum of the computed values. One can see that for $qD' = 1$, it holds that ct$(t', iD, qD')$ is feasible. Hence, the evaluation in step (ii) is true for at least one iteration. And hence, the expression in (2) is well defined. With this, we can state our second lemma.
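Lemma 2.

$$
\begin{aligned}
&(\lnot \mathrm{ZSRMSsch}(\tau)) \Rightarrow \\
&(\exists (iD, qD, t) \text{ s.t. } (t > 0) \land (\tau_{iD} \in \tau) \land (qD \in \{1..\lceil t/T_{iD} \rceil\}) \land \\
&\quad (\mathrm{feas}(\{f_{iD,qD} - A_{iD,qD} > D_{iD}\} \cup \mathrm{ct}(t, iD, qD))) \land \\
&\quad (t < \min\{t' \mid t' = \max_{qD' \in \{1..\lceil t'/T_{iD} \rceil\} \land (\mathrm{feas}(\mathrm{ct}(t', iD, qD')))} \max\{f_{iD,qD'} \mid \mathrm{ct}(t', iD, qD')\}\}))
\end{aligned}
$$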

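Proof: Assume that the left-hand side of the lemma is true. Then, using Lemma 1 yields that:

$$
\begin{aligned}
&\exists (iD, qD, R, sc) \text{ s.t. } (\tau_{iD} \in \tau) \land (qD \in \{1..nj_{iD}(R)\}) \land \\
&\quad (\mathrm{legMCS}(R, sc, \tau, iD, qD)) \land (\mathrm{legZSRMSsch}(sc, R, \tau)) \land \\
&\quad (f_{iD,qD}(sc, R) - A_{iD,qD} > D_{iD}) \land \\
&\quad (\text{for schedule } sc, \text{ it holds that at all times before time } 0, \text{ the processor is idle}) \land \\
&\quad (\text{for schedule } sc, \text{ it holds that at all times in } [0, f_{iD,qD}(sc, R)], \text{ the processor executes} \\
&\quad\ \text{a job with priority} \ge prio_{iD} \text{ or criticality} \ge \zeta_{iD})
\end{aligned}
\tag{3}
$$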

Clearly, in the schedule $sc$ above, the rules of dispatching (expressed in Fig. 3) apply and the assignment $R$ is legal. Let us consider the part of schedule $sc$ during $[0, f_{iD,qD}(sc, R))$ and let us introduce $t$ as $t = f_{iD,qD}(sc, R)$. We can encode this schedule with variables and constraints — indeed ct$(t, iD, qD)$, expressed in Fig. 4, does that. One can understand this encoding as follows: Clearly, for each task $\tau_{i'}$, there are at most $\lceil t/T_{i'} \rceil$ jobs of $\tau_{i'}$. Then we introduce variables that are direct analogs of the assignment $R$. The variable $A_{i',q'}$ in Fig. 4 is the arrival time of $\tau_{i',q'}$ and $c_{i',q'}$ in Fig. 4 is the execution time of $\tau_{i',q'}$. In Fig. 4, $TS$ denotes the set of tasks that can generate jobs that can execute in the time interval $[0, t]$. In Fig. 4, $QS(i')$ denotes the set of indices of jobs of task $\tau_{i'}$ that can execute in the time interval $[0, t]$. Recall that an instant is a schedinst if there is a job that arrives at this instant or there is a job that finishes at this instant or there is a job that has its zero-slack instant at this instant. Since we consider a time interval of duration $t$, and no jobs arrive before the time interval, it holds that there are at most $3 \times \sum_{i' \in TS} \lceil t/T_{i'} \rceil$ instants that are schedinst. We can divide time into non-intersecting sub-time-intervals such that these instants separate the sub-time-intervals. This gives us that (i) a sub-time-interval begins at an instant that is a schedinst and (ii) if a sub-time-interval is not the last one, then it ends at an instant that is a schedinst and (iii) within a sub-time-interval, there is no instant that is a schedinst. We call these sub-time-intervals positions and we let $t^p$ denote the time when the $p$th position starts. There are at most $3 \times \sum_{i' \in TS} \lceil t/T_{i'} \rceil - 3$ positions. We let $PS$ denote the set $PS = \{1..3 \times \sum_{i' \in TS} \lceil t/T_{i'} \rceil\}$; i.e., if $p' \le |PS| - 1$ then $t^{p'}$ is the beginning of the $p'$th position and if $p' = |PS|$ then $t^{p'}$ is the end of the $(p'-1)$th position (the last position). Since we consider the time interval $[0, t]$, it holds that the first position starts at time 0, that is, $t^1 = 0$. For each position that is not the first position, it holds that its starting time is constrained to be at least as large as the starting time of its predecessor position; we express it as $\forall p \in (PS \setminus \{1\}) : t^{p-1} \le t^p$.

We can then express whether an event occurs in the beginning of a position. $\mathrm{arrives}^p_{i,q}$ is a variable in $\{0,1\}$; if $\mathrm{arrives}^p_{i,q} = 1$ then it means that $\tau_{i,q}$ arrives in the beginning of position $p$. $\mathrm{arrived}^p_{i,q}$ is a variable in $\{0,1\}$; if $\mathrm{arrived}^p_{i,q} = 1$ then it means that $\tau_{i,q}$ arrives in the beginning of position $p$ or in an earlier position. $\mathrm{finishes}^p_{i,q}$ is a variable in $\{0,1\}$; if $\mathrm{finishes}^p_{i,q} = 1$ then it means that $\tau_{i,q}$ finishes in the beginning of position $p$. $\mathrm{finZSRMS}^p_{i,q}$ is a variable in $\{0,1\}$; if $\mathrm{finZSRMS}^p_{i,q} = 1$ then it means that $\tau_{i,q}$ finishes in the beginning of position $p$ or in an earlier position. $\mathrm{ZS}^p_{i,q}$ is a variable in $\{0,1\}$; if $\mathrm{ZS}^p_{i,q} = 1$ then it means that $\tau_{i,q}$ arrives exactly $Z_i$ before the beginning of position $p$. $\mathrm{Zd}^p_{i,q}$ is a variable in $\{0,1\}$; if $\mathrm{Zd}^p_{i,q} = 1$ then it means that there is a position $p' \le p$ such that $\mathrm{ZS}^{p'}_{i,q} = 1$. Fig. 3 shows predicates and these predicates describe dispatching. We can introduce variables that describe if a predicate is true for a job at a time which is the beginning of a position. For example, $\mathrm{arrivednotfinZSRMS}^p_{i,q}$ is a variable in $\{0,1\}$; if $\mathrm{arrivednotfinZSRMS}^p_{i,q} = 1$ then it means that $\tau_{i,q}$ arrives in the beginning of position $p$ or earlier and $\tau_{i,q}$ finishes in the beginning of a position later than $p$. In Fig. 4 we express this as $(\mathrm{arrivednotfinZSRMS}^p_{i,q} = 1) \Leftrightarrow ((\mathrm{arrived}^p_{i,q} = 1) \land (\mathrm{finZSRMS}^p_{i,q} = 0))$. Other variables in Fig. 4 describe predicates in Fig. 3 analogously. In the end, we obtain a variable $\mathrm{candZSRMS}^p_{i,q}$ which describes that $\tau_{i,q}$ is a candidate for execution in the beginning of position $p$. Recall that a job is a candidate for execution if it is eligible and there is no other eligible job with higher priority at this time. We then introduce $\mathrm{xZSRMS}^p_{i,q}$ which is a variable in $\{0,1\}$; if $\mathrm{xZSRMS}^p_{i,q} = 1$ then it means that $\tau_{i,q}$ executes in position $p$. Clearly, a job can only execute if it is a candidate. In Fig. 4 we express this as $\mathrm{xZSRMS}^p_{i,q} \le \mathrm{candZSRMS}^p_{i,q}$. The above reasoning yields:

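$$
\begin{aligned}
& \exists (iD, qD, t) \text{ s.t. } (t > 0) \wedge (\tau_{iD} \in \tau) \wedge (qD \in \{1..\lceil t/T_{iD} \rceil\}) \wedge \\
& (\mathit{feas}(\{f_{iD,qD} - A_{iD,qD} > D_{iD}\} \cup \{f_{iD,qD} = t\} \cup \mathit{ct}(t, iD, qD)))
\end{aligned}
\qquad (4)
$$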

Let us now discuss the length of the busy period mentioned in (3). It can be seen that if $\tau_{iD,qD}$ misses its deadline in a time interval where only jobs with priority $> \mathit{prio}_{iD}$ or criticality $> \zeta_{iD}$, then

$$f_{iD,qD}(sc, R) < \min\{t' \mid t' = \max\{f_{iD,qD} \mid \mathit{ct}(t', iD, qD)\}\}$$

Clearly, since $t = f_{iD,qD}(sc, R)$, we obtain:

$$t < \min\{t' \mid t' = \max\{f_{iD,qD} \mid \mathit{ct}(t', iD, qD)\}\}$$

The right-hand side of this expression contains the symbol $qD$. We would like to find an upper bound that does not depend on $qD$. It can be seen that:

$$t < \min\{t' \mid t' = \max_{qD' \in \{1..\lceil t'/T_{iD} \rceil\}} \max\{f_{iD,qD'} \mid \mathit{ct}(t', iD, qD')\}\}$$

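Combining it with (4) yields:

$$
\begin{aligned}
& \exists (iD, qD, t) \text{ s.t. } (t > 0) \wedge (\tau_{iD} \in \tau) \wedge (qD \in \{1..\lceil t/T_{iD} \rceil\}) \wedge \\
& (\mathit{feas}(\{f_{iD,qD} - A_{iD,qD} > D_{iD}\} \cup \{f_{iD,qD} = t\} \cup \mathit{ct}(t, iD, qD))) \wedge \\
& (t < \min\{t' \mid t' = \max_{qD' \in \{1..\lceil t'/T_{iD} \rceil\} \wedge (\mathit{feas}(\mathit{ct}(t', iD, qD')))} \max\{f_{iD,qD'} \mid \mathit{ct}(t', iD, qD')\}\})
\end{aligned}
$$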


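Dropping a constraint cannot cause infeasibility. Hence, by dropping $\{f_{iD,qD} = t\}$ from the above, we have:

$$
\begin{aligned}
& \exists (iD, qD, t) \text{ s.t. } (t > 0) \wedge (\tau_{iD} \in \tau) \wedge (qD \in \{1..\lceil t/T_{iD} \rceil\}) \wedge \\
& (\mathit{feas}(\{f_{iD,qD} - A_{iD,qD} > D_{iD}\} \cup \mathit{ct}(t, iD, qD))) \wedge \\
& (t < \min\{t' \mid t' = \max_{qD' \in \{1..\lceil t'/T_{iD} \rceil\} \wedge (\mathit{feas}(\mathit{ct}(t', iD, qD')))} \max\{f_{iD,qD'} \mid \mathit{ct}(t', iD, qD')\}\})
\end{aligned}
$$

This is the right-hand side of the lemma. ■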

Our  third  lemma  states  how  a  change  in  t  impacts  certain 
inequalities. 


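Lemma 3. If $t_a < t_b$ then it holds that:

$$
\begin{aligned}
& (\exists (iD, qD) \text{ s.t. } (\tau_{iD} \in \tau) \wedge (qD \in \{1..\lceil t_a/T_{iD} \rceil\}) \wedge \\
& (\mathit{feas}(\{f_{iD,qD} - A_{iD,qD} > D_{iD}\} \cup \mathit{ct}(t_a, iD, qD)))) \\
& \Rightarrow \\
& (\exists (iD, qD) \text{ s.t. } (\tau_{iD} \in \tau) \wedge (qD \in \{1..\lceil t_b/T_{iD} \rceil\}) \wedge \\
& (\mathit{feas}(\{f_{iD,qD} - A_{iD,qD} > D_{iD}\} \cup \mathit{ct}(t_b, iD, qD))))
\end{aligned}
$$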

Proof: Assume that the left-hand side is true. Since the left-hand side is true, we know that there is a solution to the constraints. We can copy that solution to use it to satisfy the constraints on the right-hand side and then for the new variables that only exist on the right-hand side but not on the left-hand side, we can set them to zero. This yields a solution to the constraints on the right-hand side. And hence the right-hand side is true. ■

Our fourth lemma states certain inequalities for an unschedulable taskset (it differs from the second lemma only in that it uses = instead of <) on the right-hand side.
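Lemma 4.

$$
\begin{aligned}
& (\neg \mathit{ZSRMSsch}(\tau)) \Rightarrow \\
& (\exists (iD, qD, t) \text{ s.t. } (t > 0) \wedge (\tau_{iD} \in \tau) \wedge (qD \in \{1..\lceil t/T_{iD} \rceil\}) \wedge \\
& (\mathit{feas}(\{f_{iD,qD} - A_{iD,qD} > D_{iD}\} \cup \mathit{ct}(t, iD, qD))) \wedge \\
& (t = \min\{t' \mid t' = \max_{qD' \in \{1..\lceil t'/T_{iD} \rceil\} \wedge (\mathit{feas}(\mathit{ct}(t', iD, qD')))} \max\{f_{iD,qD'} \mid \mathit{ct}(t', iD, qD')\}\}))
\end{aligned}
$$

Proof: Follows from applying Lemma 3 on Lemma 2. ■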
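We will now discuss another direction of implication; we will discuss $\Leftarrow$ instead of $\Rightarrow$. Our fifth lemma states that if certain inequalities are true then the taskset is unschedulable.

Lemma 5.

$$
\begin{aligned}
& (\neg \mathit{ZSRMSsch}(\tau)) \Leftarrow \\
& (\exists (iD, qD, t) \text{ s.t. } (t > 0) \wedge (\tau_{iD} \in \tau) \wedge (qD \in \{1..\lceil t/T_{iD} \rceil\}) \wedge \\
& (\mathit{feas}(\{f_{iD,qD} - A_{iD,qD} > D_{iD}\} \cup \mathit{ct}(t, iD, qD))))
\end{aligned}
$$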

Proof: Assume that the right-hand side of the lemma is true. Then there exists a $(iD, qD, t)$ such that the right-hand side is true. Since the constraints on the right-hand side are feasible, we have an assignment of values to the variables in $\mathit{ct}(t, iD, qD)$ and with this assignment of values to variables we obtain an assignment $R$ and can (based on the discussion in Lemma 2 and using $R$) construct a schedule during $[0, t]$ such that $\tau_{iD,qD}$ misses its deadline. Hence, it holds that

$$
\begin{aligned}
& \exists (iD, qD, R, sc) \text{ s.t. } (\tau_{iD} \in \tau) \wedge (qD \in \{1..\mathit{nj}_{iD}(R)\}) \wedge \\
& (\mathit{legMCS}(R, sc, \tau, iD, qD)) \wedge (\mathit{legZSRMSsch}(sc, R, \tau)) \wedge \\
& (f_{iD,qD} - A_{iD,qD} > D_{iD})
\end{aligned}
$$

This can be rewritten as:

$$(\neg \mathit{ZSRMSsch}(\tau))$$

This is the left-hand side of the lemma. ■

We can consider Lemma 5 but add additional constraints on the right-hand side.

Lemma 6.

$$
\begin{aligned}
& (\neg \mathit{ZSRMSsch}(\tau)) \Leftarrow \\
& (\exists (iD, qD, t) \text{ s.t. } (t > 0) \wedge (\tau_{iD} \in \tau) \wedge (qD \in \{1..\lceil t/T_{iD} \rceil\}) \wedge \\
& (\mathit{feas}(\{f_{iD,qD} - A_{iD,qD} > D_{iD}\} \cup \mathit{ct}(t, iD, qD))) \wedge \\
& (t = \min\{t' \mid t' = \max_{qD' \in \{1..\lceil t'/T_{iD} \rceil\} \wedge (\mathit{feas}(\mathit{ct}(t', iD, qD')))} \max\{f_{iD,qD'} \mid \mathit{ct}(t', iD, qD')\}\}))
\end{aligned}
$$

Proof: Follows from Lemma 5. ■

We then present an exact condition for unschedulability.

Lemma 7.

$$
\begin{aligned}
& (\neg \mathit{ZSRMSsch}(\tau)) \Leftrightarrow \\
& (\exists (iD, qD, t) \text{ s.t. } (t > 0) \wedge (\tau_{iD} \in \tau) \wedge (qD \in \{1..\lceil t/T_{iD} \rceil\}) \wedge \\
& (\mathit{feas}(\{f_{iD,qD} - A_{iD,qD} > D_{iD}\} \cup \mathit{ct}(t, iD, qD))) \wedge \\
& (t = \min\{t' \mid t' = \max_{qD' \in \{1..\lceil t'/T_{iD} \rceil\} \wedge (\mathit{feas}(\mathit{ct}(t', iD, qD')))} \max\{f_{iD,qD'} \mid \mathit{ct}(t', iD, qD')\}\}))
\end{aligned}
$$

Proof: Follows from Lemma 4 and Lemma 6. ■

We then present an exact condition for schedulability.

Theorem 1.

$$
\begin{aligned}
& \mathit{ZSRMSsch}(\tau) \Leftrightarrow \\
& (\forall iD \text{ s.t. } (\tau_{iD} \in \tau) : \\
& \quad \text{for } t = \min\{t' \mid t' = \max_{qD' \in \{1..\lceil t'/T_{iD} \rceil\} \wedge (\mathit{feas}(\mathit{ct}(t', iD, qD')))} \max\{f_{iD,qD'} \mid \mathit{ct}(t', iD, qD')\}\} : \\
& \quad \forall qD \in \{1..\lceil t/T_{iD} \rceil\} : \\
& \quad \neg \mathit{feas}(\{f_{iD,qD} - A_{iD,qD} > D_{iD}\} \cup \mathit{ct}(t, iD, qD)) \\
& )
\end{aligned}
$$

Proof: Follows from rewriting Lemma 7. ■

1.  allOK := true
2.  for each $\tau_{iD} \in \tau$, as long as allOK do
3.      t := −1; newt := $C^o_{iD}$
4.      while (t < newt) do
5.          t := newt
6.          flag := false
7.          for each $qD' \in \{1..\lceil t/T_{iD} \rceil\}$ do
8.              <fe, va> := solve(max{$f_{iD,qD'}$ | ct(t, iD, qD')})
9.              if fe then
10.                 if flag then newt := max(newt, va)
11.                 else newt := va; flag := true
12.                 end if
13.             end if
14.         end for
15.     end while
16.     for each $qD \in \{1..\lceil t/T_{iD} \rceil\}$, as long as allOK do
17.         if feas({$f_{iD,qD} - A_{iD,qD} > D_{iD}$} ∪ ct(t, iD, qD)) then
18.             allOK := false
19.         end if
20.     end for
21. end for
22. return allOK

Fig. 5: An algorithm for ZSRM-S schedulability testing.

Evaluating the right-hand side of Theorem 1 requires calculating $\min\{t' \mid t' = \max_{qD' \in \{1..\lceil t'/T_{iD} \rceil\}} \max\{f_{iD,qD'} \mid \mathit{ct}(t', iD, qD')\}\}$; let $t_{min}$ denote this. It can be seen that $\max_{qD' \in \{1..\lceil t'/T_{iD} \rceil\}} \max\{f_{iD,qD'} \mid \mathit{ct}(t', iD, qD')\}$ is non-increasing with increasing $t'$ (follows from reasoning analogous to the reasoning in the proof of Lemma 3). Therefore, we can evaluate $t_{min}$ with a standard iterative procedure. Fig. 5 is an algorithm that uses such an iterative procedure to perform the schedulability test as expressed by Theorem 1. We use the notation <fe, va> := solve(max{PROB}) to state that the optimization problem PROB should be solved and fe is a boolean which is true if the problem is feasible and false otherwise; if the problem is feasible then va is the value of the objective function for an optimal solution.

For many tasksets that are unschedulable, it holds that there is a job that misses its deadline at an early time in a busy period. Unfortunately, Fig. 5 requires that we obtain t > newt before we can even start checking the existence of deadline misses. We would like to get early termination for such tasksets. By using Lemma 5 we can check a given $(iD, qD, t)$ to see if it satisfies certain conditions and if this is the case, we know that the taskset is unschedulable. We can apply this condition for the t after line 5 in Fig. 5. By adding such a check, we know that lines 16 to 20 in Fig. 5 are not needed. With these observations, we can rewrite the algorithm in Fig. 5 into the algorithm in Fig. 6.

1.  allOK := true
2.  for each $\tau_{iD} \in \tau$, as long as allOK do
3.      t := −1; newt := $C^o_{iD}$
4.      while (t < newt) and allOK do
5.          t := newt
6.          for each $qD \in \{1..\lceil t/T_{iD} \rceil\}$, as long as allOK do
7.              if feas({$f_{iD,qD} - A_{iD,qD} > D_{iD}$} ∪ ct(t, iD, qD)) then
8.                  allOK := false
9.              end if
10.         end for
11.         if allOK then
12.             flag := false
13.             for each $qD' \in \{1..\lceil t/T_{iD} \rceil\}$ do
14.                 <fe, va> := solve(max{$f_{iD,qD'}$ | ct(t, iD, qD')})
15.                 if fe then
16.                     if flag then newt := max(newt, va)
17.                     else newt := va; flag := true
18.                     end if
19.                 end if
20.             end for
21.         end if
22.     end while
23. end for
24. return allOK

Fig. 6: An algorithm for ZSRM-S schedulability testing; it is optimized for detecting clearly unschedulable tasksets quickly.

IV.  New  Schedulability  Test  for  ZSRM-SE 

In this section, we present an exact schedulability test for ZSRM-SE. Note that ZSRM-SE differs from ZSRM-S in only two ways. First, the definition of success of a job is different; a job can be not-success if the job misses its deadline (just like in ZSRM-S) but a job can also be not-success if it is terminated. Second, the schedules that can be generated by ZSRM-SE are different from the ones that can be generated by ZSRM-S. Hence, we use the constraints in Fig. 4 as a starting point and observe that ZSRM-SE is impacted by the termination condition; we therefore add constraints for that, and this results in the constraints in Fig. 7. Note that in Fig. 7 we have a variable $\mathit{terminatednow}^p_{i,q}$ with the interpretation that if $\mathit{terminatednow}^p_{i,q} = 1$ then $\tau_{i,q}$ is terminated at the beginning of position $p$. There is also a predicate $\mathit{terminated}^p_{i,q}$ with the interpretation that if $\mathit{terminated}^p_{i,q} = 1$ then $\tau_{i,q}$ is terminated at the beginning of position $p$ or earlier. With these variables, we can define $\mathit{eligZSRMSE}^p_{i,q}$, which describes whether $\tau_{i,q}$ is eligible at the beginning of position $p$; it is calculated based on $\mathit{terminated}^p_{i,q}$. Therefore, if $\tau_{iD,qD}$ is a not-success job then it holds that there is a $t$ such that the following constraints are feasible: $\{((\mathit{terminated}^{PS}_{iD,qD} = 1) \vee (f_{iD,qD} > A_{iD,qD} + D_{iD}))\} \cup \mathit{ct2}(t, iD, qD)$, where $\mathit{ct2}$ is the set of constraints in Fig. 7 and $PS$ is the last position. We also introduce $\mathit{ft}_{i,q}$ (meaning failure time), which is a variable that states the time that $\tau_{i,q}$ generated a failure. If $\tau_{i,q}$ is terminated then $\mathit{ft}_{i,q}$ is the time when it got terminated. If $\tau_{i,q}$ is not terminated then $\mathit{ft}_{i,q}$ is the time when it finished. Our formulation here also differs from the one in the previous section in that the number of scheduling instants is greater; here each job can generate four scheduling instants, since the time when a job has executed exactly its nominal execution time can be a scheduling instant as well (because job termination can happen at such an instant).


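Theorem 2.

$$
\begin{aligned}
& \mathit{ZSRMSEsch}(\tau) \Leftrightarrow \\
& (\forall iD \text{ s.t. } (\tau_{iD} \in \tau) : \\
& \quad \text{for } t = \min\{t' \mid t' = \max_{qD' \in \{1..\lceil t'/T_{iD} \rceil\}} \max\{\mathit{ft}_{iD,qD'} \mid \mathit{ct2}(t', iD, qD')\}\} : \\
& \quad \forall qD \in \{1..\lceil t/T_{iD} \rceil\} : \\
& \quad \neg \mathit{feas}(\{(\mathit{terminated}^{PS}_{iD,qD} = 1) \vee (f_{iD,qD} - A_{iD,qD} > D_{iD})\} \cup \mathit{ct2}(t, iD, qD)) \\
& )
\end{aligned}
$$

Proof: This is a direct extension of Theorem 1. ■

Fig. 8 is an algorithm that uses such an iterative procedure to perform the schedulability test as expressed by Theorem 2.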


V.  Our  tool 

Recall that Fig. 5 presented an algorithm for performing exact schedulability analysis of ZSRM-S and Fig. 7 presented an algorithm for performing exact schedulability analysis of ZSRM-SE. These algorithms have in common that they check if a set of constraints is feasible and they also solve a problem of maximizing an objective function subject to certain constraints. Some of the constraints mentioned are not MILP: they have binary variables and logical operators. We will now discuss how to convert them to MILP. In our problems, we can add, for each real variable $a$, the constraint $a \le BIG$, where $BIG$ is a constant computed as $BIG = \sum_{\tau_i \in \tau} \lceil t/T_i \rceil \times C^o_i$.
Sets:


Constraints 


t=  0 


TS  =  {*' \{n>  G  r)  a  ((priOj/  >  prioiD)  V  (C;'  >  On))}, TSHC(i)  =  {«'|(t;/  G  t)  A  (O'  >  0)}, 
TSHP(i)  =  {i'|(v  G  r)  A  (prkv  >  prio;)},  QS(i')  =  {1..(^1},PS  =  {1-4  x  E 

?  i'GTS  l' 

Vp  €  (PS  \  {|PS|})  :  tp  <  tp+1  : 
V(i,q)  s.t.  (i  £  TS)  A  {q  £  (QS (i)  \  {1}))  :  A;,,  -  Ag,_ 1  >  T) 
V(i,?>  s.t.  (i  €  TS)  A  {q£  QS(*))  :  E  arrives?,  =  1  E  ZS?,  =  1 


p'GPS 


p'GPS 


V (i,  q,p)  s.t.  (i  £  TS)  A  (q  £  QS (*))  A  (p  £  (PS  \  {|PS| }))  :  finishes?,  =  1  —  terminated?, 

p'SPS 

(arrives?,  =  1)  =>  (donex?,  =  0)  (arrives?,  =  1)  =>  (A*,,  =  tp)  arrived?,  =  arrivesf , 

p'e{i.p} 

(finishes?,  =  1)  =4-  (donex?,  =  cg9)  (finishes?,  =  1)  =4-  (/i,9  =  tp)  fin?,  =  E  finishes?, 

p'e{i..p> 

(ZS?,  =  1  )=>{Ai,q  +  Zi=1?)  Zd?,  =  E  ZSC 

p'ef  i..p} 

(doneexactly?,  =  1)  =>  (donex?,  =  Ci)  doneexactlyf  ,  =  highexeandnotterminatedf, 

p'e{i-} 

(highexeandnotterminatedf  ,  =  1)  4=>  ((arrived?,  =  1)  A  (atmostnom?,  =  0)  A  (terminated?,  =  0)) 

(arrivednotfin?,  =  1)  <=>  ((arrived?,  =  1)  A  (fin?,  =  0)) 
(Zdnotfin?,  =  1)  ((Zd?,  =  1)  A  (fin?,  =  0)) 

(atmostnom?,  =  1)  -4=  (donex?,  <  Ci) 
(atmostnom?,  =  0)  -4=  (donex?,  >  Ci) 
(Zdnotfinandnotatmostnom?,  =  1)  •$=>  ((Zd?,  =  1)  A  (fin?,  =  0)  A  (atmostnom?,  =  0)) 

terminated?  =  >  terminatednow?  „ 

/  _j  i,q 

p'e{i-p} 

(suspendednowf,  =  1)  =>  (  E  E  Zdnotfin?,  ,,  >  1) 

i'eTSHC(i)  q'eQS(i') 

(suspendednow?,  =  0)  =>  (  E  E  Zdnotfin?,  ,,  <  0) 

i'eTSHC(i)  9'eQS(i') 

(terminatednow?,  =  1)  ==>  (  E  E  Zdnotfinandnotatmostnom^,  ,  >  1) 

i'GTSHC(i)  q'GQS(i') 

(terminatednow?,  =  0)  =*•  (  E  E  Zdnotfinandnotatmostnom^,  ,  <  0) 

i'GTSHC(i)  g'eQS(t') 

(eligZSRMSE?,  =  1)  4=>  ((arrivednotfin?,  =  1)  A  (suspendednow?,  =  0)  A  (terminated?,  =  0)) 
(candZSRMSE?,  =  1)  ((eligZSRMSE?,  =  1)  A  (A^tshpm  A,’'€QS(i')  (eligZSRMS^,  =  0))) 
(busyp  =  1)  =>  (  E  E  candZSRMSE?,  ,,  >  1)  (busyp  =  0)  (E  E  candZSRMSE?,^,  <  0) 

Ti'GTq'eQSfi')  T^er  q'eQS(i') 

Kq  =  1)  =»  (donex^1  =  donex?,  +  tp+1  -  tp)  xf_,  <  candZSRMSE?, 

Vp  €  (PS  \  {|PS|})  :  E  E  xi',q'  =  busyP 

v6T9'eQS(i') 

Vp  G  PS  :  (finishes?D  qD  =  1)  =>  (  busyp  >  p  —  1) 

p'e{i-p— i} 

V(i,  q)  s.t.  (*  G  TS)  A  (q  £  QS (i))  A  (0  >  0d)  :  cij9  <  Ci  V(i,  q)  s.t.  (i  £  TS)  A  (q  £  QS(i))  A  (0  <  0d)  :  c%,q  <  C° 

(terminatediD,qD  =  0)  =4-  (ft  =  /io.qD)  Vp  G  PS  :  (terminatednowfD  qD  =  1)  =>  (ft  =  tp) 

Domains  of  variables  :tp  G  R>o,  A?,  G  R>o,  arrives?,  G  {0, 1},  arrived?,  G  {0, 1},  fg9  G  R>o,  finishes?,  G  {0, 1}, 
fin?,  G  {0, 1},  ZS?,  G  {0, 1},  Zd?,  G  {0, 1},  donex?,  G  R>0,  c;,9  G  {0, 1},  arrivednotfin? q  £  {0, 1},  Zdnotfin?,  G  {0, 1}, 
suspendednowf  ,  G  {0, 1},  eligZSRMSE^,  G  {0, 1},  candZSRMSEf  ,  G  {0,  l},busyp  G  {0,  l},x?,  G  {0, 1},  ft  G  R>o 


Fig.  7:  Constraints  we  use  for  exact  schedulability  analysis  of  ZSRM-SE. 
1.  allOK := true
2.  for each $\tau_{iD} \in \tau$, as long as allOK do
3.      t := −1; newt := $C^o_{iD}$
4.      while (t < newt) and allOK do
5.          t := newt
6.          for each $qD \in \{1..\lceil t/T_{iD} \rceil\}$, as long as allOK do
7.              if feas({($\mathit{terminated}^{PS}_{iD,qD} = 1$) ∨ ($f_{iD,qD} - A_{iD,qD} > D_{iD}$)} ∪ ct2(t, iD, qD)) then
8.                  allOK := false
9.              end if
10.         end for
11.         if allOK then
12.             flag := false
13.             for each $qD' \in \{1..\lceil t/T_{iD} \rceil\}$ do
14.                 <fe, va> := solve(max{ft | ct2(t, iD, qD')})
15.                 if fe then
16.                     if flag then newt := max(newt, va)
17.                     else newt := va; flag := true
18.                     end if
19.                 end if
20.             end for
21.         end if
22.     end while
23. end for
24. return allOK

Fig. 8: An algorithm for ZSRM-SE schedulability testing; it is optimized for detecting clearly unschedulable tasksets quickly.

And this does not change feasibility. A constraint of the form $(x = 1) \Rightarrow (a = b)$ can be rewritten as: $((x = 1) \Rightarrow (a \le b)) \wedge ((x = 1) \Rightarrow (a \ge b))$. Note that if $x$ is a variable with the domain $\{0,1\}$ and $a$ and $b$ are non-negative real variables and $BIG$ is a constant selected so that $a \le BIG$ and $b \le BIG$, then a constraint $(x = 1) \Rightarrow (a \le b)$ can be rewritten as

$$a - b + BIG \times x \le BIG \qquad (5)$$

Also, a constraint of the form $(a = 1) \Leftrightarrow ((b = 1) \wedge (c = 1))$ can be rewritten as $(b + c - a \le 1) \wedge (b + c - 2a \ge 0)$. Consider the constraint: $(\mathit{suspendednowZSRMS}^p_{i,q} = 1) \Rightarrow (\sum_{i' \in TSHC(i)} \sum_{q' \in QS(i')} \mathit{ZdnotfinZSRMS}^p_{i',q'} \ge 1)$. When we rewrite it, we use $BIG = 1 + (\sum_{i' \in TSHC(i)} |QS(i')|)$.

With these techniques, we can rewrite the optimization problems and feasibility checking problems as MILP. Indeed, we have done so and implemented a tool that performs these computations. Our implementation uses Gurobi 6.0.3, a state-of-the-art MILP solver.
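The rewrites above can be checked by brute force. The following is an added example, not the authors' tool: it compares each logical constraint with its linear form over small domains, and shows that form (5) stops being equivalent when BIG is smaller than the bound on a and b. All function names, the integer sample grid and the exact linear form chosen for the suspended-now constraint are assumptions made for this illustration.

```python
from itertools import product

def implies_le(x, a, b):
    """Logical constraint: (x = 1) => (a <= b)."""
    return x == 0 or a <= b

def bigm_le(x, a, b, big):
    """Linear form (5): a - b + BIG * x <= BIG."""
    return a - b + big * x <= big

def implies_eq(x, a, b):
    """Logical constraint: (x = 1) => (a = b)."""
    return x == 0 or a == b

def bigm_eq(x, a, b, big):
    """(x = 1) => (a = b), split into a <= b and a >= b, each in form (5)."""
    return bigm_le(x, a, b, big) and bigm_le(x, b, a, big)

def and_logical(a, b, c):
    """Logical constraint: (a = 1) <=> ((b = 1) and (c = 1))."""
    return (a == 1) == (b == 1 and c == 1)

def and_linear(a, b, c):
    """Linear form: (b + c - a <= 1) and (b + c - 2a >= 0)."""
    return (b + c - a <= 1) and (b + c - 2 * a >= 0)

def suspended_logical(s, z):
    """(s = 1) => (sum z >= 1) together with (s = 0) => (sum z <= 0)."""
    return (s == 1) == (sum(z) >= 1)

def suspended_linear(s, z):
    """Assumed linearization using BIG = 1 + (number of summed binaries)."""
    big = 1 + len(z)
    # (s = 1) => (1 <= sum z): form (5) with a = 1, b = sum z.
    lower = 1 - sum(z) + big * s <= big
    # (s = 0) => (sum z <= 0): form (5) with x = 1 - s, a = sum z, b = 0.
    upper = sum(z) + big * (1 - s) <= big
    return lower and upper

def mismatches_implication(logical, linear, bound, big):
    """Count points (x, a, b), with a and b in 0..bound, where the forms disagree."""
    grid = range(bound + 1)
    return sum(logical(x, a, b) != linear(x, a, b, big)
               for x, a, b in product((0, 1), grid, grid))

def mismatches_and():
    """Count binary triples where the AND linearization disagrees."""
    return sum(and_logical(*v) != and_linear(*v)
               for v in product((0, 1), repeat=3))

def mismatches_suspended(n):
    """Count assignments of s and n binaries z where the forms disagree."""
    return sum(suspended_logical(s, z) != suspended_linear(s, z)
               for s in (0, 1) for z in product((0, 1), repeat=n))

if __name__ == "__main__":
    print("BIG = bound:", mismatches_implication(implies_le, bigm_le, 4, 4))
    print("BIG < bound:", mismatches_implication(implies_le, bigm_le, 4, 2))
    print("equality   :", mismatches_implication(implies_eq, bigm_eq, 4, 4))
    print("AND        :", mismatches_and())
    print("suspended  :", mismatches_suspended(3))
```

With BIG below the bound, the linear form rejects points where x = 0 and a - b > BIG, so a solver would report infeasibility for assignments the logical constraint allows.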

VI.  Conclusions 

Zero-Slack Rate-Monotonic (ZSRM) is a mixed-criticality scheduler which suspends a low-criticality task when a high-criticality task has not finished at a certain time. Previous work has made available implementations of a ZSRM scheduler in the Linux kernel and in VxWorks, as well as a sufficient schedulability test for it, and this schedulability test is available to software practitioners in the OSATE AADL workbench. A modification of it was used in a UAV system to ensure that an overload in vision processing does not jeopardize deadline guarantees of flight-control software [6]. Hence, we believe ZSRM is one of the most practical ideas in mixed-criticality scheduling. Unfortunately, no exact schedulability analysis was available for ZSRM schedulers. Therefore, in this paper, we presented exact schedulability tests for two ZSRM schedulers.